On 16/03/10 07:43, Ananda Samaddar wrote:
On Tue, 16 Mar 2010 07:29:45 +1000
Allan McRae<allan@xxxxxxxxxxxxx> wrote:
As an aside, I would like to see some numbers on where we could
improve in this area. I have been following the CVE announcements
and several other distros security releases for the past few months
and from what I see, I believe Arch is mostly ahead of the game.
Following the latest upstream releases has its advantages.
Allan
This may be true in the sense that by using the latest packages we are
incorporating security fixes as they are released by default. I take
issue with the fact that there's no dedicated team and nothing in place
to deal with security alerts.
There is no dedicated team, but as I said, we appear to be mostly ahead
of the game in this respect. I would be interested to see how many
packages suffer from security issues that we miss.
The other issue being the lack of signed packages.
Providing code is the way to fix this. There is a good start that has
been made and it mostly needs someone dedicated to finish it off.
I don't know how much of a problem this is for other Arch
users.
Would there be any enthusiasm for a dedicated security team? I feel
strongly enough about it that if something can't be done then I'm
switching to another distro. Despite the fact that I really like Arch,
it's one deficiency is a pretty glaring one in my opinion. I hope this
doesn't turn into a flamefest and my opinions are by no means meant to
be a slight on the Arch devs or community.
Sure there is enthusiasm for such a venture, at least judging by how
many times this has been bought up in the past. I think one or two of
those times an actual project started up but then died. So it appears
enthusiasm yes, continual motivation no (at least up until now...).
And, this is a great candidate for a community project. A group could
monitor security issues and file bugs to get the devs to fix them. This
is the way all Arch projects start and if they are useful, they may get
taken on board and made official.
Allan